Privilege Escalation — The Questions, Linux Edition Pt. 1

During a penetration test there are many questions you will need to ask yourself. Too often, the blogs I read discuss the commands we need to run to collect information from our target, but don't go far enough in explaining the questions we should be asking as we collect that data or run our scripts. I want to take this opportunity to discuss why we look for certain information and the types of questions we should be asking ourselves along the way.

The data we’re collecting here is from a combination of the following sources:

So with this information, what questions should we be asking ourselves? What should we be searching for?

Are there any well known vulnerabilities for this operating system version?

What is the codename, and are any exploits published under that name rather than the version number?

What format do package names take on this operating system? For example, if we need the version of the libssl development libraries, should we search for libssl-dev (Debian style), openssl-devel (RHEL style), or something else?

If we are on a new OS, where can we potentially read about new bugs (e.g. Ubuntu's Launchpad bug tracker)?

Kernel Information

Because of the importance of the kernel to our system, we need to know as much as we can about it. g0tm1lk suggests:

What architecture is the kernel? Is it i386 (32-bit) or x86_64 (64-bit)?

What version is the kernel? Are there any exploits that target this version and architecture?

Is our initial foothold leveraging the same architecture as the target? If not, can we acquire a new shell using the correct architecture?

What versions of vmlinuz exist? As vmlinuz is the actual kernel file, can we potentially leverage an older one that is on the system?
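The OS and kernel questions above can be answered with a small audit helper. The script below is an added example, not part of the original post or g0tm1lk's material: it reads the package-naming family and codename out of /etc/os-release, and lists every vmlinuz image in /boot that is older than the running kernel, which is also the check a defender runs to find stale kernels that were never cleaned up. It assumes a GNU or BusyBox `sort -V`; the sample os-release text and /boot listing are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the original post): answer the OS and kernel
# questions from /etc/os-release, uname and the images present in /boot.
# Assumes a GNU/BusyBox 'sort -V'. Sample inputs below are constructed.

# Package naming family from the ID / ID_LIKE lines of os-release (stdin).
pkg_style() {
    ids=$(sed -n -e 's/^ID=//p' -e 's/^ID_LIKE=//p' | tr -d '"')
    case " $ids " in
        *debian*|*ubuntu*)         echo "deb (e.g. libssl-dev)" ;;
        *rhel*|*fedora*|*centos*)  echo "rpm (e.g. openssl-devel)" ;;
        *)                         echo "unknown" ;;
    esac
}

# Release codename from os-release (stdin), the name advisories may use.
os_codename() { sed -n 's/^VERSION_CODENAME=//p' | tr -d '"'; }

# Given vmlinuz paths on stdin and the running release ($1), print every image
# whose version is OLDER than the running kernel. 'sort -V' is required: a
# plain string sort would rank 5.15.0-100 below 5.15.0-91.
stale_kernels() {
    running=$1
    sed 's/.*vmlinuz-//' | while IFS= read -r ver; do
        if [ "$ver" = "$running" ]; then continue; fi
        oldest=$(printf '%s\n%s\n' "$ver" "$running" | sort -V | head -n 1)
        if [ "$oldest" = "$ver" ]; then echo "$ver"; fi
    done
}

# Constructed sample data: an Ubuntu 22.04 host with three kernel images in /boot.
SAMPLE_OS_RELEASE='NAME="Ubuntu"
VERSION_ID="22.04"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian'
SAMPLE_BOOT='/boot/vmlinuz-5.15.0-91-generic
/boot/vmlinuz-5.15.0-100-generic
/boot/vmlinuz-5.15.0-76-generic'

# Live report for the host this runs on (invoke the script with --live).
report_live() {
    echo "arch: $(uname -m)  kernel: $(uname -r)"
    echo "codename: $(os_codename < /etc/os-release)  packages: $(pkg_style < /etc/os-release)"
    echo "kernel images older than the running one:"
    ls /boot/vmlinuz-* 2>/dev/null | stale_kernels "$(uname -r)"
}
if [ "${1:-}" = "--live" ]; then report_live; fi
```

Run it with `--live` on a host to get the real report; without the flag only the functions and sample data are defined, so they can be exercised against the constructed input.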

Author Kevin Kirsche

Kevin is a Principal Security Architect with Verizon. He holds the OSCP, OSWP, OSCE, and SLAE certifications. He is interested in learning more about building exploits and advanced penetration testing concepts.